New mntner Object Format

1) Abstract

Following the community's request in December 2012, the AFRINIC whois database will no longer display the hashes of MD5 and CRYPT encrypted passwords in any mntner (whois database) object.

Currently, the majority of objects in the AFRINIC whois database are protected by, and authenticate through, a mechanism based on clear text passwords hashed with the MD5 algorithm. There are two major concerns with this method:

The MD5-hashed password has traditionally been visible in all mntner objects. This exposes it to offline password cracking, given that today's computers have more than enough processing power to recover the password behind such a hash in a relatively short time.

When performing a whois database update, plain text passwords are inserted into the objects to be updated and sent by e-mail to the whois database. This makes it possible for the password to be sniffed if there is no encryption between the sender, the recipient and their relaying Mail Transfer Agents.

AFRINIC has enabled a filter in the whois database such that whois queries do not display those hashes again. This mitigates the potential for anyone to run a simple script or program that will crack these passwords, as they are no longer visible.

2) Updating objects in the whois database

This section covers authenticating against a maintainer object in order to update the objects it protects, and creating, modifying or deleting child objects protected by the parent object's mnt-lower (or mnt-domains) attribute.

2.1) Modifying a mntner object

The process to create a new mntner object remains completely unchanged. However, once it has been created, modifying or deleting an existing mntner requires the object owner to have access to the MD5 and/or CRYPT hash that was used to create the mntner in the first place, whenever the modifications involve other attributes.

It is therefore important that the hash be kept by the object owner for future retrieval when updating existing mntner objects. Below are examples of mntner objects, showing the previously unfiltered hash in the top object, and the new format at the bottom object, showing the hashes filtered.


To modify an existing mntner:

a) Query the AFRINIC whois database for your object, add the hash to the result and send it to the server for updating, as follows:

b) If the e-mail returned by the server indicates that the update failed, either the hash was wrong (in which case a syntax error will appear in the bounce) or the clear text password was not correct (this will be shown as an authentication error).

c) In case you cannot retrieve your md5 hash (but know your plain text password that was used to generate the hash), it is possible to simply re-generate a new hash of the same password.

The generated hash can be copied and pasted into your mntner object and submitted for update as usual.

d) If your password is lost (irrespective of the availability of the MD5 hash), it is not possible to update the object. You must contact AFRINIC for the standard lost mntner password process, by simply sending an e-mail to <AFRINIC contact e-mail address> with a request for a new password. Please note that:

The password change request must come from an authorized contact. If there has been change of contacts, we shall request an official signed letter from a senior executive of your organization detailing the new contacts.
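As an added example (not AFRINIC's own tool or code), the following Python reimplements the crypt(3) MD5 scheme behind an MD5-PW auth value, so that steps a) to c) above can be done offline: regenerate a hash from a known plain text password (a fresh random salt makes each run produce a different hash of the same password, as step c) describes), check a password against a hash, and put the kept hash back into the filtered auth line of a queried object. The exact wording of the filtered marker returned by the server ("# Filtered") is an assumption; the function matches it case-insensitively.

```python
import hashlib
import re
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    # crypt(3) digit order: least significant 6 bits first
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str = "") -> str:
    """Return a crypt(3) MD5 hash "$1$<salt>$<22 chars>", the value after "MD5-PW"."""
    pw = password.encode()
    # Salt is at most 8 chars; with no salt given, draw a fresh random one.
    salt_b = salt.encode()[:8] if salt else bytes(ITOA64[secrets.randbelow(64)] for _ in range(8))
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])  # as many bytes of alt as pw is long
    bit = len(pw)
    while bit:  # one byte per bit of len(pw): NUL for set bits, pw[0] for clear bits
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 rounds of key stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return (b"$1$" + salt_b + b"$" + enc + _to64(final[11], 2)).decode()


def verify_md5_pw(password: str, auth_value: str) -> bool:
    """Check a plain text password against an "MD5-PW $1$salt$hash" auth value."""
    m = re.fullmatch(r"MD5-PW \$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})", auth_value)
    return bool(m) and secrets.compare_digest(md5_crypt(password, m.group(1)), auth_value[7:])


def fill_filtered_auth(whois_output: str, md5_pw_hash: str) -> str:
    """Replace the filtered MD5-PW auth line of a queried mntner with the hash the owner kept."""
    return re.sub(r"(?im)^(auth:\s+)MD5-PW\s*#?\s*FILTERED\s*$",
                  lambda m: m.group(1) + "MD5-PW " + md5_pw_hash, whois_output)
```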

3) Using PGP authentication (instead of md5 and CRYPT-PW)

In addition to MD5, the AFRINIC whois database supports PGP for authenticating whois database updates. In contrast to MD5, PGP provides stronger cryptographic protection and guarantees that the signed update message was not tampered with. It works by using a pair of keys generated by the user. The public key is uploaded to the whois database inside a key-cert object, and the user's e-mail updates are signed using the private key on the user's device.

Since most whois database updates are submitted by e-mail, the only way to guarantee security is by using PGP, which AFRINIC strongly recommends to our members and the community.

This is because with the MD5 method, updates submitted by email are authenticated by the user inserting a clear text password in the e-mail body. Despite using technologies like SSL and TLS, AFRINIC has no control over all the stages that an e-mail goes through before final delivery to our whois server.

Combining different auth mechanisms

The whois database supports the use of multiple authentication mechanisms in one mntner object. If an object is protected by a mntner that contains several MD5 passwords and PGP keys, any one of the correct passwords or PGP-signed e-mails will authenticate. The mntner object shown below contains two "auth" attributes, one for the MD5 and one for the PGP authentication mechanism. Either of the attributes can be used to authorize updates.

mntner:   TOTO-MNT
descr:    Maintainer Toto telecom
admin-c:  ABC1-AFRINIC
tech-c:   DEF1-AFRINIC
upd-to:   <e-mail address>
mnt-nfy:  <e-mail address>
auth:     MD5-PW $1$09nxAH88$ZaDWuXGdly2boQi69atbN.
auth:     PGPKEY-476A541E
mnt-by:   TOTO-MNT
changed:  <e-mail address>
source:   AFRINIC

4) FAQ: Filtered MD5 Hashes

Why did AFRINIC decide to hide the MD5 hash? Because someone can crack it using any computer or even a smartphone. Hiding it removes the opportunity for crackers to run guessing attacks against your hash.

Can I update a mntner object without inserting the MD5 hash? No. You must replace the "FILTERED" string in the auth attribute with the actual encrypted hash, otherwise the update will fail.

I have forgotten my MD5 hash. If you remember the plain text password instead, please use our online MD5 encrypted password generator. A different hash of the same password will be generated, which can be used to update (but not delete) the object.

I know my plain text password. How can I get my MD5 hash? By using our online encrypted password generator. Please note the hash will always be different, as it's generated based on a timestamp.

MD5 seems insecure. Are there other options? You can use PGP, which involves using a pair of keys. More information about using PGP with the AFRINIC whois database can be found here.

Can I still create customer assignments without knowing the hash? Yes. All you need is to submit those assignments along with a clear text password to the whois database. You can even use MYAFRINIC for that.

Does rDNS still work as before? Yes. All other objects as well as whois database update procedures remain unchanged. Only mntner objects are affected, in that you need to have that hash handy whenever you must edit your mntner (which is not very common).

How do I use PGP with the AFRINIC whois database? Having generated your PGP key pair, export your public key into the whois database using a key-cert object. Then sign all your database updates using your private key. Please look here for more information.

Can I use both PGP and MD5 authentication concurrently? Yes. Either of the authentication mechanisms will work if specified in a given mntner object.

How can I get additional help? Please e-mail <AFRINIC contact e-mail address> for any assistance with the AFRINIC whois database, or call +230 403 5104. You can also use Skype to call us for free on the regular Skype user "skype2afrinic".